check for match against debian archive #49

Open
vagrantc opened this issue Aug 11, 2018 · 5 comments

Comments

@vagrantc

Wild off-the-top-of-my head wishlist item here:

buildinfo.debian.net appears to check if there are buildinfo files that successfully reproduced the binaries:

https://buildinfo.debian.net/sources/u-boot/2018.07+dfsg-1

It would be interesting if it could compare the produced hashes against the in-archive packages, and see which .buildinfo files match, and ideally expose matching in-archive .deb with some api, so someone could ask to explicitly rebuild against the archive by querying buildinfo.debian.net.

I'm sure this requires a fair amount of additional parsing; e.g. downloading all the Packages files for target architectures on a regular basis, and then updating the whole database.

Maybe it's infeasible, or the wrong place to do this sort of thing.

The main advantage to this approach is it would allow to retroactively provide a database of .buildinfo files that match the in-archive files once we get around to publicly publishing the .buildinfo files that are currently uploaded to the official Debian archive... and also .buildinfo files that happened to match the archive from our test infrastructure.

@lamby
Owner

lamby commented Aug 11, 2018

Wouldn't we get this "for free" once we simply push the archive ones to buildinfo.debian.net?

@vagrantc
Author

> Wouldn't we get this "for free" once we simply push the archive ones
> to buildinfo.debian.net?

We could manually compare them, but the idea is to have a way to
identify which binaries in the official Debian archive are correlated
with which known .buildinfo files.

Currently, there's no tracking in buildinfo.debian.net of anything
other than what's published in .buildinfo files; this would at least
require an extra data source (e.g. Packages files from the archive)
and tying that to the corresponding .buildinfo files.

I suppose at import time, you could flag those .buildinfo files in
some special way...

The .buildinfo files that produced matching binary packages in the
Debian archive are, at least to me, more interesting than the ones
that are arbitrary builds from the test infrastructure. So it would be
nice if those could be flagged somehow in the UI and API.

Maybe some additional service would be a more appropriate place to
implement a correlation between in-archive Packages files and
.buildinfo files uploaded to buildinfo.debian.net.

@lamby
Owner

lamby commented Aug 13, 2018

The .buildinfo files are signed by the buildds (which we are recording in buildinfo.debian.net) so unless I'm missing something we would simply mark this set of signatures as "official Debian" and use that for a comparison; no need for this Packages files matching AIUI?

@vagrantc
Author

> the .buildinfo files are signed by the buildds (which we are
> recording in buildinfo.debian.net) so unless I'm missing something we
> would simply mark this set of signatures as "official Debian" and
> use that for a comparison; no need for this Packages files matching
> AIUI?

Sure, if you have a set of known buildd keys and ways of keeping them
updated (and the historically valid keys as well), that would be a
mostly ok assumption.

It wouldn't catch binary uploads from developers, which is still
unfortunately all-too-common practice. Marking all developer-signed
.buildinfos as "official Debian" wouldn't be appropriate, since
developers may upload a signed .buildinfo with a source-only upload,
which doesn't necessarily match the binaries in the archive.
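The matching the opening request describes (compare the hashes a .buildinfo records against the archive's Packages files) and the caveat above (a developer-signed .buildinfo from a source-only upload need not match the in-archive .deb) can both be illustrated with a small content-based check. This is an added example, not code from buildinfo.debian.net; the stanzas and digests it feeds itself are constructed, not real archive data.

```python
from typing import Dict, List

def parse_822(text: str) -> List[Dict[str, str]]:
    """Parse Debian control stanzas; continuation lines join the previous field."""
    stanzas, cur, last = [], {}, None
    for line in text.splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line[0] in " \t" and last:
            cur[last] += "\n" + line.strip()
        else:
            key, _, val = line.partition(":")
            last = key.strip()
            cur[last] = val.strip()
    if cur:
        stanzas.append(cur)
    return stanzas

def match_buildinfo(buildinfo_text: str, packages_text: str) -> Dict[str, bool]:
    """For each .deb in the .buildinfo's Checksums-Sha256 field that also exists in
    the archive Packages file, True if the recorded hash equals the archive's.
    Source files and .debs not in the archive are skipped (no verdict possible)."""
    archive = {s["Filename"].rsplit("/", 1)[-1]: s["SHA256"]
               for s in parse_822(packages_text) if "Filename" in s and "SHA256" in s}
    verdict = {}
    for stanza in parse_822(buildinfo_text):
        for entry in stanza.get("Checksums-Sha256", "").split("\n"):
            parts = entry.split()            # "<sha256> <size> <filename>"
            if len(parts) == 3 and parts[2].endswith(".deb") and parts[2] in archive:
                verdict[parts[2]] = archive[parts[2]] == parts[0]
    return verdict

# Constructed sample input (not real archive data or real digests): one Packages
# stanza, a buildd .buildinfo whose hash matches it, and a developer .buildinfo
# from a source-only upload whose locally built .deb hashes differently.
SHA_ARCHIVE, SHA_DEV = "11" * 32, "22" * 32
DEB = "u-boot-tools_2018.07+dfsg-1_amd64.deb"
PACKAGES = ("Package: u-boot-tools\nVersion: 2018.07+dfsg-1\nArchitecture: amd64\n"
            f"Filename: pool/main/u/u-boot/{DEB}\nSHA256: {SHA_ARCHIVE}\n")
BUILDD_INFO = f"Source: u-boot\nVersion: 2018.07+dfsg-1\nChecksums-Sha256:\n {SHA_ARCHIVE} 1000 {DEB}\n"
DEV_INFO = BUILDD_INFO.replace(SHA_ARCHIVE, SHA_DEV)

if __name__ == "__main__":
    print("buildd:   ", match_buildinfo(BUILDD_INFO, PACKAGES))   # {DEB: True}
    print("developer:", match_buildinfo(DEV_INFO, PACKAGES))      # {DEB: False}
```

Because the verdict is based on the recorded digest rather than on who signed the file, a developer's source-only-upload .buildinfo is simply reported as not matching the archive instead of being mislabelled "official Debian".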

@lamby
Owner

lamby commented Aug 13, 2018

wfm
